Banking Regulation 2026 Comparisons

Last Updated December 09, 2025

Law and Practice

Authors



Luther Rechtsanwaltsgesellschaft mbH is a leading business law firm established in 2010 in Luxembourg. Relying on its international network, the firm’s multilingual professionals advise domestic and international clients across seven practice areas. The clients of the firm, ranging from multinational corporations, investment funds and financial institutions to private equity firms, have placed their trust in its interdisciplinary legal advice. The firm has 29 legal advisers, including eight partners, and is ranked by leading international directories such as Chambers and Partners. Luther employs 420+ lawyers and tax advisers internationally, is present in ten German economic centres and has 11 offices in Europe and Asia. Luther is a founding member of unyer (www.unyer.com), a global organisation of leading professional services firms that co-operate exclusively with each other.

Key Laws and Regulations

The banking sector in Luxembourg operates under a comprehensive legal and regulatory framework that integrates both national legislation and European Union directives and regulations. The backbone of Luxembourg’s banking framework is the Law of 5 April 1993 on the Financial Sector (LFS), as amended, which governs authorisation, prudential supervision, conduct of business, and organisational requirements for credit institutions established in Luxembourg. In addition, the regulatory framework is based on the following major legal texts:

  • Directive 2013/36/EU (CRD IV), as amended, and Regulation (EU) No 575/2013 (CRR), as amended, establishing prudential requirements for credit institutions and investment firms; CRD IV is implemented through the LFS, while the CRR is directly applicable;
  • Directive 2014/59/EU (BRRD) – transposed into Luxembourg law by the Law of 18 December 2015 on the failure of credit institutions and certain investment firms (the 2015 Law), establishing recovery and resolution planning requirements; together with the Single Resolution Mechanism Regulation (Regulation (EU) No 806/2014), it forms the EU bank resolution framework;
  • Directive (EU) 2015/849 (AMLD IV), as amended – implemented through the Law of 12 November 2004 on the fight against money laundering and terrorist financing; the new AML package adopted in 2024, comprising the EU AML Regulation, Directive (EU) 2024/1640 (AMLD VI) and the establishment of a pan-European AML authority (AMLA), will overhaul the regime by July 2027;
  • Directive 2014/49/EU (DGSD) – transposed by the 2015 Law, ensuring depositor protection up to EUR100,000 per depositor;
  • Regulation (EU) 2022/2554 (DORA) – applicable from January 2025, introducing harmonised rules on ICT risk management, operational resilience and third-party service oversight;
  • Directive 2014/65/EU (MiFID II) – implemented through the LFS, setting conduct of business and investor protection standards for investment services, complemented by Regulation (EU) No 600/2014 (MiFIR);
  • Regulation (EU) 2023/1114 (MiCA) – directly applicable from June 2024 for stablecoin issuers and from December 2024 for crypto-asset service providers, introducing the EU’s first harmonised framework for crypto-assets;
  • Regulation (EU) 2016/679 (GDPR) – directly applicable, imposing strict data protection, privacy and governance requirements;
  • Directive (EU) 2015/2366 (PSD II) – transposed by the Law of 20 July 2018 amending the Law of 10 November 2009 on payment services, regulating payment services, e-money and strong customer authentication (the 2009 Law); and
  • Regulation (EU) No 648/2012 (EMIR) – directly applicable, setting out requirements for derivatives clearing, risk mitigation and reporting.

The Luxembourg regulatory regime is further supported through CSSF regulations and circulars and guidelines issued by the European Banking Authority, which complement the laws and regulations and specify the application thereof.

Supervisory Authorities

The Commission de Surveillance du Secteur Financier (CSSF) and the European Central Bank (ECB) are the principal supervisory authorities responsible for licensing and overseeing credit institutions in Luxembourg. Under the Single Supervisory Mechanism (SSM), significant credit institutions are directly supervised by the ECB, while less significant institutions remain under the direct supervision of the CSSF within a harmonised European framework. The Banque Centrale du Luxembourg (BCL) contributes to monetary policy implementation, liquidity monitoring, and macroprudential oversight as part of the European System of Central Banks (ESCB), working in close co-operation with both the ECB and the CSSF. The BCL also co-ordinates with the Ministry of Finance on matters relating to financial stability and macroprudential policy.

Authorisation Requirement

A legal entity intending to carry out the business activity of a credit institution in Luxembourg must first obtain written authorisation pursuant to the LFS and the EU regulation conferring specific tasks on the ECB concerning policies relating to the prudential supervision of credit institutions (the Single Supervisory Mechanism Regulation or SSM). Under the LFS, a credit institution is defined as an undertaking whose business consists in receiving deposits or other repayable funds from the public and granting credits for its own account.

Institutions incorporated outside the European Economic Area (EEA) are required to obtain a licence from the competent Luxembourg authorities before commencing operations in Luxembourg. In contrast, credit institutions authorised in another EEA member state may provide banking services in Luxembourg by exercising their passporting rights under Directive 2013/36/EU (the Capital Requirements Directive), subject to compliance with applicable notification procedures.

Operating as a credit institution without proper authorisation constitutes a criminal offence under Luxembourg law and may give rise to both administrative sanctions (including fines) and criminal prosecution. The authorisation process ensures that only entities meeting stringent prudential, governance, and conduct requirements – set forth in the LFS and relevant EU legislation – are permitted to operate as banks in Luxembourg.

Application Process, Timeline and Regulator Engagement

Potential applicants seeking a banking licence in Luxembourg must submit their application to the CSSF. The CSSF conducts an initial assessment under national law and, in the case of significant credit institutions within the meaning of the SSM, submits a draft decision to the ECB. If the ECB raises no objections or approves the draft decision, authorisation is granted to the applicant. For less significant institutions, authorisation is granted directly by the CSSF following notification to the ECB.

The application must include, among other things:

  • detailed information on the legal form and structure of the applicant;
  • a programme of activities and business plan;
  • evidence of central administration and infrastructure in Luxembourg, including robust risk management policies, governance arrangements, and adequate internal control mechanisms;
  • details regarding shareholding structure and qualifying holdings;
  • documentation demonstrating the professional repute and experience of members of the management body (fit and proper assessments);
  • information on capital structure together with evidence of paid-up initial capital (minimum EUR8.7 million); and
  • annual accounts audited by an approved statutory auditor.

Timeline

Upon receipt of an application, the CSSF first conducts a completeness check. Once deemed complete, a full review follows, which typically involves iterative engagement with applicants through requests for clarifications or additional documentation. As per the LFS, the CSSF must reach a decision within six months from submission of a complete file – ie, when all required information has been provided – but not later than twelve months from initial submission. In practice, straightforward applications are generally processed within six to nine months; more complex cases may take up to 12 months.

Activities Covered and Restrictions

A bank granted a banking licence in Luxembourg is authorised to provide typical banking services such as deposit-taking, lending, financial leasing, guarantees, money market operations, and other financial services as enumerated in Annex I of the LFS. In addition to these core activities, a licensed bank may also offer payment services, issue electronic money and provide investment services; however, it must comply with all applicable provisions set out in sector-specific legislation (for example, the 2009 Law, the Law of 30 May 2018 on markets in financial instruments, and any relevant laws governing crypto-assets). Where required by law or regulation – particularly for novel or high-risk activities – additional registration or notification obligations may apply.

Each service offered by a bank must form part of its business plan as communicated to the CSSF at the time of authorisation or subsequently updated if new activities are contemplated. Any material change or extension to the range of permitted activities generally requires prior notification to or approval by the CSSF.

Banks are prohibited from engaging in non-financial commercial and industrial business activities as well as insurance services except where such activities are strictly ancillary to their financial business (for example, acquisition or management of collateral). This prohibition serves to safeguard prudential soundness and prevent conflicts between banking operations and unrelated commercial interests.

Ancillary and Complementary Activities

Banks in Luxembourg are permitted to offer a range of ancillary activities in connection with their provision of investment services, as defined under the LFS and relevant EU legislation. These ancillary activities include:

  • safekeeping and administration of financial instruments for clients;
  • granting credits or loans to investors for the purpose of carrying out transactions involving one or more financial instruments, where the bank is involved in the transaction;
  • advice to undertakings on capital structure, industrial strategy, and related matters, as well as advice and services relating to mergers and acquisitions;
  • foreign exchange services where these are connected with the provision of investment services;
  • investment research and financial analysis concerning transactions in financial instruments; and
  • services related to underwriting and placement of financial instruments on a firm commitment or best efforts basis.

All such ancillary services may only be offered insofar as they are directly related to the investment services provided by the bank.

Passporting and Cross-Border Activities

Luxembourg banks benefit from the European passport regime under CRD IV, which enables them to provide banking services across the EEA either on a cross-border basis or through the establishment of branches, without requiring separate local licences or incorporation of new entities in host countries. A Luxembourg-authorised bank intending to provide cross-border services or establish a branch in another EEA member state must notify the CSSF of its intentions. The CSSF is then required to notify the competent authority of the host member state within one month; activities may commence following this notification process, subject to any additional requirements imposed by host authorities – particularly in cases involving branch establishments.

The establishment of branches or subsidiaries outside the EEA requires prior approval from the CSSF before operations can begin.

Non-EEA credit institutions wishing to offer banking services in Luxembourg must obtain full authorisation from the CSSF, whether operating through a branch or by establishing a subsidiary. A subsidiary incorporated in Luxembourg is treated as a separate legal entity and is subject to all authorisation requirements applicable to domestic credit institutions. A branch does not constitute a distinct legal entity but must nevertheless receive a banking licence from the CSSF; this process includes an assessment of both the foreign parent institution and its group structure. In such cases, close co-operation between the CSSF and the relevant foreign supervisory authority is expected, particularly with respect to prudential standards and ongoing supervision.

Requirements Governing Change in Control

The acquisition, direct or indirect, of a qualifying holding in a Luxembourg credit institution or any further increase in such a holding is subject to prior notification and approval by the CSSF. Notification must be made for any transaction that would result in:

  • acquiring, reaching or exceeding the 10%, 20%, 33 1/3%, or 50% thresholds of capital or voting rights; or
  • the credit institution becoming a subsidiary of the acquirer.

Any person intending to reduce their participation below these thresholds must notify the CSSF in advance; no approval is required.

These thresholds apply to both direct and indirect holdings (including concerted action), and the CSSF examines the entire shareholding structure up to the ultimate beneficial owner(s). For indirect holdings, the CSSF applies the control criterion and the multiplication criterion to determine the participation percentages.

There are no blanket prohibitions on the acquisition of qualifying holdings; however, all acquirers, regardless of nationality, must satisfy the CSSF’s prudential requirements.

Regulatory Filings and Assessment Procedure

Any person intending to acquire, increase, or decrease a qualifying holding in a Luxembourg credit institution must submit a formal notification to the CSSF in accordance with the LFS, relevant EU legislation, and supporting CSSF circulars. Notification is effected by submitting a notification letter to the CSSF accompanied by all relevant documentation and information supporting the transaction. The notification must include, among other things:

  • identification of the proposed acquirer(s);
  • structure of the transaction;
  • detailed information on the acquirer’s financial situation, business reputation, and fitness;
  • the source and proof of funds used for the acquisition;
  • information on future strategic plans, including any intended changes in governance arrangements, business model, or risk profile; and
  • fit and proper assessments for shareholders and directors.

The CSSF acknowledges receipt of the notification within two working days from receipt. The assessment period is sixty working days commencing from acknowledgement that the file is complete; this period may be extended once by up to thirty additional working days if further information is requested from the applicant. To avoid delays, especially in complex transactions, pre-filing discussions with the CSSF are strongly recommended.

The examination of a notification focuses on five key assessment criteria:

  • the reputation (integrity and professional competence) of the proposed acquirer;
  • the reputation and experience of those who will direct the business;
  • the financial soundness of the acquirer;
  • compliance with prudential requirements; and
  • the absence of suspicion regarding money laundering or terrorist financing.

The CSSF may object to a proposed acquisition if any of these conditions are not met; otherwise, approval will be granted. For significant institutions under the SSM, following its review, the CSSF communicates its proposal together with all relevant documentation to the ECB, which retains final authority to object or approve.

Post-Approval and Ongoing Requirements

Once a proposed acquisition is approved, ongoing requirements include:

  • notification to the CSSF of any subsequent changes affecting control or qualifying holdings (for example, further increases or decreases crossing regulatory thresholds), whether direct or indirect;
  • prompt disclosure to the CSSF of any material changes in ownership structure, governance arrangements, financial condition, or reputation that could affect the institution’s stability or prudent management; and
  • ongoing compliance with supervisory requirements such as anti-money laundering and counter-terrorist financing (AML/CTF) obligations, as well as continued adherence to fit and proper standards for shareholders and directors under applicable national law and EU regulations.

If control is acquired without prior approval from the CSSF (and where applicable, the ECB), the authorities may take appropriate measures as provided by law. Such measures may include suspension of voting rights attached to the shares concerned, orders requiring divestment of shares acquired unlawfully, imposition of administrative sanctions or fines, or other remedial actions necessary to safeguard the sound management and stability of the credit institution.

Statutory and Regulatory Requirements

Credit institutions in Luxembourg are required to maintain a clear organisational structure with well-defined, transparent, and consistent lines of responsibility; effective procedures for identifying, managing, monitoring, and reporting risks; as well as adequate internal control mechanisms. These requirements are established by the LFS and further detailed in CSSF Circular 12/552 on central administration, internal governance, and risk management (Circular 12/552). Both the LFS and Circular 12/552 require the permanent existence of robust internal control mechanisms based on the three-lines-of-defence model: operational management as the first line; independent risk management and compliance functions as the second line; and an independent internal audit function as the third line.

The management body – which includes both the board of directors and authorised management – must collectively possess the necessary knowledge, skills, experience, integrity, and professional competence to ensure sound and prudent management at all times. The CSSF assesses both individual members’ integrity (“fit and proper” criteria) and collective suitability before appointment; it may object to proposed changes in board composition if these could impair effective governance or prudent oversight.

Furthermore, credit institutions must establish a documented risk appetite framework approved by their management body; implement remuneration policies aligned with long-term institutional interests that do not encourage excessive risk-taking; and adopt comprehensive policies for identifying, preventing, or managing conflicts of interest.

Voluntary Codes and Industry Initiatives

While there is no single national voluntary code specifically applicable to credit institutions in Luxembourg, many institutions – particularly those belonging to international banking groups – adopt group-wide governance frameworks established by their parent entities. These frameworks frequently incorporate international best practices relating to environmental, social, and governance (ESG) criteria and sustainability standards. In addition, the Luxembourg Bankers’ Association (ABBL) promotes ESG and sustainability best practices through recommendations and guidelines which, although not legally binding, encourage member institutions to pursue higher standards of transparency, stakeholder engagement, and ethical conduct beyond minimum legal requirements. Adoption of such voluntary codes remains at the discretion of each institution but can serve as an important tool for enhancing market reputation and stakeholder confidence.

Diversity Requirements

Recent amendments to the LFS, as well as updates to Circular 12/552, have significantly strengthened provisions regarding diversity, independence, and gender balance within the management bodies of Luxembourg credit institutions. These changes implement requirements from Directive (EU) 2019/878 (CRD V), as transposed into Luxembourg law through the LFS.

Credit institutions are now required to adopt a formal diversity policy applicable to their management bodies – including both supervisory and management functions – which must address factors such as gender, professional background, age, and geographical origin. The objective is to ensure a broad range of perspectives and experiences in strategic decision-making processes.

In addition, enhanced independence requirements mandate that a sufficient number of independent members serve on management bodies – particularly in significant institutions – to promote effective oversight and robust governance.

The gender-neutral remuneration principle introduced by CRD V – and implemented in the LFS – applies across all staff whose professional activities have a material impact on the institution’s risk profile (“identified staff”). This principle requires that remuneration policies ensure equal pay for equal work or work of equal value regardless of gender.

Bankers’ Oath or Equivalent Binding Rules of Conduct

Luxembourg does not impose a statutory “Bankers’ Oath” or any equivalent formal pledge of professional conduct akin to those required in some other jurisdictions. However, all employees of credit institutions – including both management and staff – are subject to strict professional conduct rules under the LFS, which are enforced by the CSSF. These rules encompass duties of integrity, confidentiality, diligence, avoidance of conflicts of interest, and compliance with anti-money laundering (AML) obligations. Breaches of these duties may result in disciplinary action or regulatory sanctions.

In addition to statutory requirements, many banks require their employees to adhere to internal codes of ethics or conduct. These internal codes often reinforce legal obligations and may also address broader issues such as ethical behaviour, whistle-blowing procedures, and corporate social responsibility.

Statutory and Regulatory Requirements

In Luxembourg, the appointment of directors and managers (“senior management”) of credit institutions is subject to stringent regulatory scrutiny by the CSSF, pursuant to the LFS and detailed guidance set out in relevant CSSF circulars, such as Circular 12/552 on internal governance. Senior management encompasses members of the management body in both its supervisory and managerial functions – including executive and non-executive directors, board members, chief executive officer, chief risk officer, chief compliance officer – among others. Credit institutions are required to clearly define roles, responsibilities, and reporting lines for each designated individual as part of their internal governance framework.

The process for appointing members of senior management is as follows:

  • Prior Notification: Any proposed appointment or change in senior management must be notified to the CSSF before taking effect; in certain cases prior approval may be required.
  • Submission Requirements: The notification must include a comprehensive file for each candidate comprising:
    1. a detailed curriculum vitae with evidence of professional qualifications and experience;
    2. criminal record extracts from all relevant jurisdictions;
    3. a declaration of honour including information on other mandates or directorships held;
    4. details regarding professional references; and
    5. disclosure of any potential conflicts of interest.
  • Assessment: The CSSF conducts a thorough fit and proper assessment evaluating integrity, reputation, competence, experience, time commitment (including an assessment as to whether sufficient time can be devoted to duties), independence, and any potential conflicts of interest.
  • Additional Information: The CSSF may request interviews with candidates or seek further documentation or clarification as deemed necessary to complete its assessment.

Screening and Ongoing Suitability

The bank is responsible for conducting comprehensive initial due diligence on all candidates for management positions before submitting them to the CSSF. This due diligence must address all aspects of the fit and proper criteria – including integrity, professional competence, experience, time commitment, independence, and absence of conflicts of interest – as set out in the LFS and relevant CSSF circulars.

Ongoing monitoring is required to ensure continued compliance with suitability standards throughout each manager’s tenure. This includes periodic reassessment – such as during annual reviews or following significant events – and prompt action if any concerns arise regarding a manager’s fitness or propriety.

Any change that may affect a manager’s suitability – whether arising from changes in role or function or from new circumstances such as criminal proceedings or loss of professional qualifications – must be promptly notified to the CSSF. The CSSF may then reassess the individual’s suitability and, if necessary, order their removal or replacement.

All persons participating in the management of a credit institution must satisfy fit and proper standards continuously throughout their tenure. Banks are also required to maintain an up-to-date register of key function holders and authorised managers at all times; this register must be available for inspection by the CSSF upon request.

The CSSF regularly reviews institutions’ governance arrangements and fit and proper frameworks during on-site inspections and thematic reviews. Any deficiencies identified during these supervisory activities may result in remedial measures or sanctions imposed by the CSSF.

Individuals Subject to the Remuneration Requirements

Remuneration in Luxembourg credit institutions is governed by the LFS, relevant CSSF circulars, and the European Banking Authority (EBA) Guidelines on sound remuneration policies (EBA/GL/2021/04). These rules implement requirements from CRD V, as transposed into Luxembourg law through the LFS.

The remuneration framework applies to:

  • members of the management body (including both executive and non-executive directors);
  • senior management responsible for day-to-day operations; and
  • identified staff – namely employees whose professional activities have a material impact on the institution’s risk profile (“material risk takers”), as defined in Commission Delegated Regulation (EU) 2021/923.

CRD V introduced flexibility, allowing remuneration rules to be applied on a solo, sub-consolidated, or consolidated basis depending on the group’s organisational structure and risk profile; this determination is subject to regulatory assessment by the CSSF.

The principle of gender-neutral remuneration – formally enshrined by CRD V – requires equal pay for equal work or work of equal value as well as transparent pay structures. Institutions must document their approach to ensuring gender neutrality within their remuneration policies.

Smaller and non-complex institutions may benefit from proportionality waivers with respect to certain deferral requirements and pay-in-instruments obligations; eligibility for such waivers is determined according to specific criteria set out in EU law and detailed further in CSSF guidance.

Relevant Remuneration Principles

Remuneration policies in Luxembourg credit institutions must promote sound and effective risk management, align pay with long-term performance, and discourage excessive risk-taking. These requirements are set out in the LFS, relevant CSSF circulars, EU directives (notably CRD IV/CRD V), and EBA Guidelines on sound remuneration policies. Key requirements include:

  • Balance Between Fixed and Variable Pay: Variable remuneration for identified staff – employees whose professional activities have a material impact on the institution’s risk profile – must be appropriately capped relative to fixed pay; it may not exceed 100% of fixed remuneration (or up to 200% with explicit shareholder approval).
  • Deferral and Instruments: At least 40% (rising to at least 60% for senior management or higher-risk categories) of variable pay must be deferred over a period of three to five years; at least half of both deferred and non-deferred variable remuneration must consist of shares or equivalent instruments.
  • Risk Adjustment and Clawback: Remuneration must be subject to both ex ante (before award) and ex post (after award) risk assessment mechanisms – including malus (downward adjustment before vesting) or clawback (recovery after payment) – where there is evidence of misconduct or significant deterioration in financial performance.
  • Governance Oversight: The remuneration policy must be approved by the management body, reviewed annually, and monitored by an independent remuneration committee composed primarily of non-executive or independent directors.
  • Gender Neutrality: Pay structures must ensure equal treatment irrespective of gender; this principle is enshrined in CRD V and implemented under Luxembourg law.

Looking ahead, CRD VI is expected to introduce stricter deferral rules, enhanced transparency regarding ESG-linked metrics in remuneration frameworks, and a broader scope for identifying material risk takers; however, these changes are not yet in force.

Regulators’ Supervisory Approach

The CSSF oversees compliance with remuneration requirements in Luxembourg credit institutions. For significant institutions under the SSM, this oversight is exercised in co-ordination with the ECB, which holds direct supervisory authority; for less significant institutions, primary responsibility remains with the CSSF.

Supervisory focus areas include:

  • the governance and independence of remuneration committees, ensuring effective oversight and avoidance of conflicts of interest;
  • the identification of material risk takers based on both qualitative and quantitative criteria in accordance with Commission Delegated Regulation (EU) 2021/923, as well as the application of proportionality principles for smaller or less complex institutions;
  • the implementation of deferral arrangements, malus and clawback mechanisms to ensure alignment between risk outcomes and variable pay; and
  • the integration of gender-neutral remuneration principles and ESG-linked policies into overall remuneration frameworks.

If deficiencies are identified during supervisory reviews or inspections, the CSSF may require remediation – including changes to remuneration policies or practices – restrict or suspend variable pay awards, or impose administrative sanctions such as fines or other measures provided by law.

Luxembourg’s anti-money laundering and counter-terrorist financing (AML/CTF) regime is primarily governed by the Law of 12 November 2004 on the Fight Against Money Laundering and Terrorist Financing, as amended (AML Law). The AML Law transposes the Fourth and Fifth AML Directives into national law and incorporates provisions of the Sixth AML Directive (Directive (EU) 2018/1673). The AML Law is regularly updated to reflect evolving EU requirements as well as international standards such as those set by the Financial Action Task Force (FATF). It is complemented by CSSF Regulation 12-02 and several CSSF circulars, which provide detailed guidance on governance arrangements, internal controls, customer due diligence obligations, reporting requirements, staff training, and risk-based supervision for credit institutions.

As mentioned, in June 2024 the European Union adopted a new AML package consisting of:

  • Regulation (EU) 2024/1624 (AMLR), establishing a Single Rulebook for anti-money laundering;
  • Regulation (EU) 2024/1620 (AMLA Regulation), creating the EU Anti-Money Laundering Authority (AMLA); and
  • Directive (EU) 2024/1640 (AMLD6), which will replace the existing directive-based framework by 2027.

These measures aim to harmonise AML/CTF standards across member states through directly applicable regulations, and introduce direct EU-level supervision through the AMLA. The directive will require national transposition within a specified timeframe.

Luxembourg has also implemented robust beneficial ownership transparency measures. The Register of Beneficial Owners (RBE) for companies has been effective since March 2019; the Register of Fiduciaries and Trusts (RFT) has been effective since July 2020. Companies, trustees, and fiduciary agents are required to collect accurate, adequate, and up-to-date beneficial ownership information for filing with these registers. These registers are accessible to competent authorities and, under certain conditions, to members of the public. Non-compliance with these obligations may trigger administrative measures or criminal sanctions.

Core Obligations for Banks

Banks qualify as obliged entities under the AML Law and must apply a risk-based approach proportionate to their size, activities and customer profile. Their principal duties include:

  • customer due diligence: identify and verify customers and beneficial owners before entering a business relationship or executing significant transactions;
  • enhanced due diligence: apply stricter controls for politically exposed persons (PEPs), high-risk jurisdictions and correspondent banking relationships;
  • ongoing monitoring: continuously review transactions and client behaviour to detect unusual or suspicious activity and update KYC information;
  • reporting obligations: promptly file suspicious activity reports; failure to report may lead to criminal liability; and
  • internal governance: establish sound internal policies, appoint a compliance officer and a person responsible for AML oversight, provide regular staff training, and maintain comprehensive records for at least five years.

Deposit Guarantee Scheme (DGS) Requirements

Luxembourg’s depositor protection regime is governed by the 2015 Law, which transposes DGSD into national law. This framework establishes two distinct but complementary mechanisms:

  • the Fonds de Garantie des Dépôts Luxembourg (FGDL), which serves as Luxembourg’s recognised Deposit Guarantee Scheme (DGS) and covers eligible deposits up to EUR100,000 per depositor per institution; and
  • the Système d’Indemnisation des Investisseurs Luxembourg (SIIL), which implements Directive 97/9/EC as the Investor Compensation Scheme for claims arising from investment business.

The law aims to protect eligible depositors and investors by ensuring timely repayment of covered deposits and assets when a credit institution or investment firm becomes insolvent or unable to meet its obligations.

All credit institutions authorised in Luxembourg are required to participate in the FGDL. Branches of third-country banks operating in Luxembourg must also be members, whereas branches of EEA banks remain covered by their home-country deposit guarantee schemes under DGSD’s home–host framework.

Credit institutions must:

  • clearly inform depositors – both pre-contractually and on an ongoing basis – of DGS coverage and applicable limits;
  • maintain accurate depositor data at all times to facilitate swift payouts by the DGS; and
  • implement robust internal procedures to identify eligible versus non-eligible deposits consistently.

Administration and Governance

The FGDL is an independent legal entity governed by public law, established under the 2015 Law. The FGDL collects annual risk-based contributions from participating credit institutions, manages its financial resources prudently, and ensures reimbursement of depositors when a credit institution in Luxembourg fails.

Operational oversight and co-ordination are exercised through the Conseil de protection des déposants et des investisseurs (CPDI), an internal executive body within the CSSF. The CPDI manages and administers both the FGDL and the SIIL, instructing payouts when relevant conditions are met.

The FGDL’s intervention is triggered when either:

  • the CSSF determines that a credit institution is unable to repay deposits that are due and payable; or
  • a court declares the institution insolvent.

Once activated, the FGDL must reimburse covered depositors within seven working days, in accordance with EU standards set by DGSD.

Classes of Depositors and Deposits Covered

Coverage under Luxembourg’s deposit guarantee scheme extends to most natural persons and a wide range of legal entities – including small and medium-sized enterprises (SMEs), non-profit organisations, and certain public authorities – as set out in the 2015 Law. Excluded from coverage are financial institutions, investment firms, insurance undertakings, collective investment schemes, pension funds, and government bodies; these exclusions apply irrespective of whether such entities hold accounts directly or as intermediaries.

The scheme protects cash deposits held in any currency – including current accounts, savings accounts, and term deposits – provided they are repayable by a credit institution participating in the FGDL. Excluded from protection are bearer deposits (due to lack of traceability), deposits arising from money-laundering offences or other criminal activities, and all deposits held by excluded entities.

Special rules

  • Temporary High Balances: Certain life events – such as the sale of a primary residence, insurance payouts, or inheritance settlements – are protected up to EUR2,500,000 per depositor per institution for a period of twelve months following the qualifying event.
  • Joint Accounts: Each account holder benefits separately from coverage up to the standard limit (EUR100,000).
  • Cross-Border Deposits: Deposits at branches of Luxembourg banks located in other EEA countries are protected by the host country’s deposit guarantee scheme; conversely, Luxembourg branches of EEA banks are covered by their respective home-country schemes under the DGSD’s home–host framework.

Coverage Limits and Payout

The standard coverage limit under Luxembourg’s deposit guarantee scheme is EUR100,000 per depositor per credit institution, irrespective of the number or type of accounts held. This limit applies on an individual basis and is aggregated across all eligible deposits and accounts maintained by a depositor at the same bank – including joint accounts, where each account holder benefits separately from coverage up to this amount.

The FGDL pays out compensation in euros (EUR), even for deposits denominated in other currencies; conversion is made using the official exchange rate applicable on the date when unavailability of deposits is determined – either by CSSF decision or court declaration of insolvency. Payments are made within seven working days in accordance with EU standards; in exceptional circumstances where this deadline cannot be met, mechanisms exist to ensure rapid access to funds through partial or advance payments.

For investment-related claims, the SIIL provides protection up to EUR20,000 per investor. This covers client assets – such as securities or other financial instruments – held or administered by failed institutions but does not extend to losses arising from market fluctuations or poor investment performance.

Funding of the Scheme

The FGDL is funded through annual risk-based contributions collected from all member institutions. These contributions are calculated based on each institution’s amount of covered deposits and its individual risk profile, in accordance with Commission Delegated Regulation (EU) 2015/63.

If necessary – when available financial resources fall below the required target level of 0.8% of covered deposits as set by EU law – the FGDL may impose ex post contributions on its members or access back-up financing arrangements. Such arrangements may include borrowing from other deposit guarantee schemes or establishing credit lines with commercial banks to ensure sufficient liquidity.

The FGDL’s assets are strictly segregated from those of its member institutions and are invested conservatively in order to maintain high liquidity and capital preservation, thereby ensuring prompt availability of funds for depositor reimbursement within the statutory payout period.

Basel III Adherence and Implementation

Luxembourg implements the Basel III framework through the CRR, which is directly applicable across the EU, and the Capital Requirements Directive V (CRD V), as transposed into national law by the LFS and complemented by CSSF regulations and circulars. Together, these instruments form part of the Single Rulebook governing prudential standards, internal governance requirements, and disclosure obligations for credit institutions in Luxembourg; this harmonised framework ensures consistency in prudential supervision across all EU member states.

The forthcoming EU banking package – comprising CRR III and CRD VI – will complete implementation of the final Basel III reforms. Key features include the introduction of an output floor (limiting capital benefits from internal models relative to standardised approaches), revised methodologies for calculating credit risk, market risk, and operational risk in line with Basel III standards, enhanced integration of ESG risks into risk management frameworks, stricter conditions for third-country bank access to EU markets, and broader reporting requirements aimed at increasing transparency for both supervisors and market participants. These reforms are expected to be phased in over several years following their adoption at EU level.

Risk-Management Framework

Banks in Luxembourg must operate sound risk-management and governance systems in accordance with the LFS, CRD V as transposed into national law, EBA/GL/2021/05, relevant CSSF circulars – including Circular 12/552 – and CSSF supervisory expectations. Key features include:

  • Board and Senior Management Responsibility: The board of directors and senior management are responsible for establishing a robust risk culture, setting strategy, approving a documented risk appetite framework, and ensuring effective internal controls – at all times observing the “four-eyes” principle requiring at least two persons to direct business operations.
  • Independent Control Functions: Banks must maintain independent control functions for risk management, compliance, and internal audit; these functions must have sufficient authority, unrestricted access to information, freedom from conflicts of interest, and direct reporting lines to the board.
  • ICAAP/ILAAP Processes: Institutions must implement Internal Capital Adequacy Assessment Processes (ICAAP) and Internal Liquidity Adequacy Assessment Processes (ILAAP) to demonstrate ongoing capital and liquidity adequacy; these processes should be forward-looking, regularly reviewed by management bodies, independently validated where appropriate, supported by rigorous stress testing covering severe but plausible scenarios as well as recovery indicators and contingency funding plans.
  • Comprehensive Risk Coverage: Risk frameworks must address:
    1. credit risk;
    2. market risk;
    3. liquidity risk;
    4. interest rate risk in the banking book (IRRBB);
    5. credit spread risk in the banking book (CSRBB);
    6. operational risk;
    7. ICT/cybersecurity risks;
    8. outsourcing risks; and
    9. third-party dependencies.
  • Operational Resilience Under DORA: With the entry into force of DORA, banks will face mandatory requirements for ICT risk management frameworks, including regular resilience testing procedures for digital systems; incident-reporting standards; oversight of critical third-party service providers; and enhanced operational resilience expectations.
  • Supervisory Review Through SREP: Through the Supervisory Review and Evaluation Process (SREP), the CSSF and – for significant institutions under direct ECB supervision – the ECB may impose additional capital requirements or qualitative measures based on an assessment of business models, governance arrangements, risks to capital/liquidity adequacy, internal controls or other supervisory concerns.

Quantity and Quality of Capital

Initial capital

Luxembourg credit institutions must hold a minimum paid-up share capital of EUR8.7 million, which cannot fall below the authorised capital level as set out in the LFS and aligned with Article 12(1) CRR.

Pillar 1 requirements

In addition to the minimum capital requirement, institutions must maintain:

  • a total capital ratio of at least 8% of risk-weighted assets (RWAs), composed of eligible own funds (CET1, AT1, T2); and
  • a leverage ratio of at least 3%.

Pillar 2 requirements

Under Pillar 2, following SREP, the CSSF may impose institution-specific capital add-ons to address risks not fully reflected under Pillar 1 requirements.

Additional capital buffers (to be met in CET1)

  • Capital Conservation Buffer (CCoB) – currently 2.5% of total risk exposures;
  • Countercyclical Buffer (CCyB) – set quarterly by the CSSF; for Luxembourg in Q4 2025 currently 0.5%;
  • Systemic Buffers:
    1. Global Systemically Important Institutions (G-SII) Buffer – between 1% and 3.5%;
    2. Other Systemically Important Institutions (O-SII) Buffer – up to 3%; and
    3. Systemic Risk Buffer (SyRB) – minimum 1%, applicable to exposures posing systemic risk; no statutory maximum.

These buffers are cumulative where applicable.

Breaching the combined buffer requirement automatically triggers Maximum Distributable Amount (MDA) restrictions on dividends, Additional Tier One coupon payments, and variable remuneration in accordance with CRD/CRR rules.

Liquidity Requirements

To strengthen both short- and long-term funding resilience, Luxembourg applies the Basel liquidity ratios as set out in the CRR, which is directly applicable in Luxembourg and further detailed by EBA guidelines and CSSF circulars:

  • Liquidity Coverage Ratio (LCR) ≥ 100%: This requires banks to maintain sufficient high-quality liquid assets (HQLA) to cover total net cash outflows over a 30-day period of severe stress, thereby ensuring short-term liquidity resilience.
  • Net Stable Funding Ratio (NSFR) ≥ 100%: This promotes stable, longer-term funding by requiring institutions to maintain an amount of available stable funding at least equal to required stable funding over a one-year horizon.

In addition to meeting these quantitative ratios, banks must implement robust qualitative liquidity-risk governance frameworks – including early-warning indicators, comprehensive stress testing covering both idiosyncratic and market-wide scenarios, actionable contingency funding plans, and ongoing monitoring of asset encumbrance as well as intraday liquidity positions – in accordance with CRR requirements and EBA/CSSF guidance.

Systemically Important Banks and Supervisory Intensity

Luxembourg banks fall under the SSM:

  • Significant institutions (SIs) are directly supervised by the ECB pursuant to the SSM.
  • Less-significant institutions (LSIs) remain under the supervision of the CSSF, subject to overarching ECB oversight.

Systemically important banks face heightened supervisory expectations:

  • Higher Capital Buffers: O-SII/G-SII buffers – and where applicable, a Systemic Risk Buffer (SyRB) – must be maintained in accordance with CRD V/CRR II requirements.
  • Enhanced Pillar 2 Requirements and Data Quality: These institutions are subject to institution-specific capital add-ons determined through SREP, elevated data-quality standards, and must align their risk-data aggregation processes with the Basel Committee on Banking Supervision’s Principles for Effective Risk Data Aggregation and Risk Reporting (BCBS 239).
  • MREL/TLAC Obligations: Minimum Requirement for Own Funds and Eligible Liabilities (MREL)/Total Loss-Absorbing Capacity (TLAC) requirements often necessitate issuance of senior non-preferred debt, Tier 2 or Additional Tier 1 instruments; compliance is monitored by the Single Resolution Board for cross-border groups.
  • Recovery and Resolution Planning: Robust recovery and resolution plans must be maintained, periodically tested, and integrated into SREP findings to ensure credible options for restoring viability or facilitating orderly resolution in stress scenarios.

Luxembourg’s regime for the recovery, resolution, and insolvency of banks is primarily governed by the 2015 Law, which transposes the BRRD into national law. This legislation establishes a comprehensive framework covering recovery planning, early intervention powers, resolution measures – including depositor protection – and insolvency proceedings.

At EU level, this framework operates within the Single Resolution Mechanism (SRM), created by Regulation (EU) No 806/2014. Under this mechanism:

  • The Single Resolution Board (SRB) acts as the central resolution authority for significant institutions and cross-border banking groups.
  • The CSSF serves as Luxembourg’s national resolution authority responsible for less significant institutions (LSIs) as well as local implementation of SRB decisions.

Once an institution is deemed “failing or likely to fail”, and where neither private nor supervisory measures can restore viability, the relevant resolution authority may apply one or more statutory resolution tools:

  • sale of business tool – transfer all or part of a failing bank’s business to a private-sector purchaser;
  • bridge institution tool – transfer assets/rights/liabilities to a temporary bridge bank established by the authority;
  • asset separation tool – transfer impaired/non-performing assets to an asset management vehicle (“bad bank”) to isolate risk; and/or
  • bail-in tool – write down or convert into equity certain unsecured liabilities so shareholders/creditors absorb losses before public funds are used.

All banks are required to prepare detailed recovery plans setting out measures to restore financial soundness under stress scenarios; these plans are reviewed annually by the CSSF (or ECB for significant institutions). Supervisors may also exercise early-intervention powers – such as requiring management changes or restricting certain business activities – to stabilise an institution before insolvency becomes inevitable.

Resolution is initiated when:

  • the institution is failing or likely to fail;
  • there is no reasonable prospect that private/supervisory measures will prevent failure; and
  • resolution is necessary in the public interest – notably to safeguard financial stability and protect depositors/investors.

Legal and Regulatory Framework

ESG regulation in Luxembourg banking is driven primarily by EU law, with national implementation and supervision by the CSSF. Key instruments include:

  • Regulation (EU) 2019/2088 on sustainability-related disclosures in the financial services sector (SFDR);
  • Regulation (EU) 2020/852 establishing the EU Taxonomy for environmentally sustainable activities; and
  • Directive (EU) 2022/2464 on corporate sustainability reporting (CSRD), which Bill No 8370 is intended to transpose into Luxembourg law.

Integration of ESG Risks

Banks must identify, measure and manage ESG risks within their existing risk frameworks. In practice this requires:

  • incorporating environmental and social factors into credit and investment risk assessments;
  • performing scenario analysis and climate stress tests, covering both physical and transition risks;
  • embedding ESG considerations within the Internal Capital Adequacy Assessment Process (ICAAP) and Internal Liquidity Adequacy Assessment Process (ILAAP); and
  • demonstrating board-level oversight and documented governance of sustainability risks.

The CSSF’s supervisory reviews increasingly test how ESG risks are integrated into ICAAP/ILAAP methodologies and whether quantitative data support those assessments.

Disclosure and Reporting Obligations

Pillar 3 ESG disclosures

Article 449a CRR and the EBA ITS on ESG disclosures (EBA/ITS/2022/01) require large institutions to publish quantitative data on:

  • exposure to carbon-intensive sectors;
  • alignment with the EU Taxonomy (eg, Green Asset Ratio); and
  • financed emissions and transition plans.

These disclosures are increasingly assessed during SREP reviews and may influence Pillar 2 capital expectations.

CSRD and sustainability reporting

The CSRD, once transposed into national law, extends non-financial reporting to large companies and listed SMEs, including banks. Reports must follow the European Sustainability Reporting Standards (ESRS), use digital tagging (XBRL), and provide double-materiality analysis – covering both how sustainability issues affect the bank and how the bank affects society and the environment. The CSSF has designated CSRD compliance as a supervisory priority.

Legal and Regulatory Framework

From January 2025 onwards – with full application of DORA – Luxembourg credit institutions must comply with enhanced digital operational resilience requirements.

Incident reporting

Institutions must classify ICT incidents by severity; major incidents must be reported promptly to the CSSF using standardised templates with follow-up submissions including root-cause analysis/remediation plans. Minor incidents must still be logged internally for audit purposes.

Digital operational resilience testing

Regular testing – including threat-led penetration testing at least every three years for critical/systemically important institutions – is mandatory; all vulnerabilities identified through such testing must be remediated/documented for supervisory review.

ICT third-party risk management

Outsourcing arrangements involving ICT services require enhanced due diligence and contractual oversight: institutions must maintain a register of all arrangements, ensure contracts include mandatory clauses on access, audit and termination, and prepare contingency and exit strategies. Certain providers are designated as critical ICT service providers subject to direct EU-level oversight under DORA.

Information sharing

Banks may participate in cyber-threat intelligence-sharing networks – provided confidentiality obligations/competition safeguards are respected – to strengthen sector-wide resilience against emerging threats such as cyber-attacks.

CSSF Supervisory Approach

The CSSF will supervise compliance with DORA through thematic reviews, incident-reporting assessments, and on-site inspections in accordance with both DORA requirements and established supervisory practices.

Initial focus areas include:

  • governance arrangements and board-level awareness of ICT risks, including the board’s responsibility for setting digital operational resilience strategy and ensuring effective oversight;
  • the quality, accuracy, and timeliness of ICT-related incident notifications as required by DORA;
  • ongoing monitoring, due diligence, contractual compliance, and risk assessment relating to critical third-party service providers.

Where weaknesses are detected during supervisory activities, the CSSF may impose remedial actions or – where warranted – administrative sanctions such as fines or other measures provided under DORA and national law. The authority also co-ordinates with other EU regulators through the Joint Oversight Forum established by DORA to ensure consistent cross-border enforcement.

Luxembourg’s existing ICT risk management standards under CSSF Circular 20/750 (on information and communication technology (ICT) and security risk management) and outsourcing standards under CSSF Circular 22/806 (on outsourcing arrangements), as amended following the entry into force of DORA, remain important sources of regulatory obligations for all relevant institutions.

Banking regulatory updates in Luxembourg are predominantly steered at the EU level. CSSF and the BCL are actively aligning domestic requirements with new EU rulebooks while modernising their supervisory approach through increased use of data analytics (“SupTech”), enhanced data collection processes, risk-based thematic reviews, and targeted inspections.

Going forward, banks in Luxembourg will need to implement several important reforms in laws and regulations, including, but not limited to, those outlined below.

  • Prudential Reforms Under CRD VI and CRR III: These measures will complete implementation of final Basel III standards in the EU – introducing an output floor for internal models, revised methodologies for credit/market/operational risk calculations, stricter third-country access conditions for non-EU banks, as well as expanded reporting obligations.
  • ESG Integration Into Prudential and Disclosure Frameworks: ESG factors will become embedded within both prudential regulation (including risk management practices and capital planning) and disclosure requirements – reflecting evolving EBA guidelines as well as broader EU sustainable finance initiatives.
  • AML Package and Creation of AMLA: The adoption of AMLR, AMLA Regulation, and AMLD6 will harmonise anti-money laundering standards across member states, establish AMLA, and fundamentally reshape financial crime compliance as well as cross-border supervision.
  • Amendments to the EU Securitisation Regulation and Payments Legal Framework: Changes to securitisation rules will impact due diligence obligations, risk retention requirements, and transparency standards. Parallel reforms to payments law – currently under PSD2 – are expected to address open banking developments, consumer protection enhancements, fraud prevention measures, and operational resilience expectations.

The CSSF’s supervisory strategy remains pragmatic; however, expectations regarding documentation quality and data integrity continue to rise across all risk disciplines. Institutions should anticipate more granular data requests from supervisors alongside heightened scrutiny of internal controls, governance arrangements, and compliance documentation.

CRD VI/CRR III Implementation

The CRD VI and the CRR III, published in July 2024, will fundamentally reshape the EU prudential landscape from 2026 onwards. In Luxembourg, the process of transposing CRD VI commenced in October 2025 with Bill No 8627, which will amend the LFS. By contrast, CRR III is directly applicable across all member states without further national implementation measures.

The main policy shifts introduced by these instruments are described below.

  • Governance and Suitability: Expanded fit-and-proper requirements mandate more detailed suitability assessments for members of management bodies and key function holders – including ongoing monitoring – together with reinforced diversity objectives and mandatory documentation of individual responsibilities within management bodies.
  • ESG Risk Integration: Boards are now required to incorporate environmental and social risk factors into their overall business strategy, risk appetite statements, internal governance arrangements, and control functions; this includes explicit integration of climate-related risks into risk management processes.
  • Third-Country Branches: Foreign banks wishing to offer banking services in any EEA country will be required to establish a supervised branch within that country – subject to host state authorisation and ongoing supervision – replacing previous models based on cross-border service provision or passporting.

Member states must transpose CRD VI by 1 January 2026; its provisions will apply from 10 January 2026 except for those relating to third-country branches – which become applicable from 11 January 2027. Transitional measures may apply for certain requirements; institutions should closely monitor both national legislative developments (including Bill No 8627) and CSSF guidance regarding implementation timelines.

ESG and CSRD Integration

The Corporate Sustainability Reporting Directive (CSRD – Directive (EU) 2022/2464) is being transposed in Luxembourg via Bill No 8370, tabled in March 2024. The CSRD replaces and significantly expands upon the Non-Financial Reporting Directive by introducing more detailed sustainability reporting obligations for a broader range of entities. The first reporting cycle for large public-interest entities commenced with the 2025 financial year, requiring use of the European Sustainability Reporting Standards (ESRS) – which set out comprehensive disclosure requirements on ESG matters – and digital XBRL tagging from 2026 to enhance comparability across the EU.

For banks, ESG considerations have evolved beyond mere disclosure obligations to become integral components of risk management frameworks. The EBA’s forthcoming 2025 Guidelines on ESG Risk Management and Supervision will formalise expectations that institutions integrate climate-related and environmental risks into their governance structures, business strategies, credit policies, and ICAAP processes; these guidelines will apply to both significant institutions under ECB supervision and less significant institutions overseen by national authorities such as the CSSF.

The CSSF has already begun incorporating ESG elements into SREP assessments, including thematic reviews assessing:

  • the robustness of climate scenario analysis;
  • the consistency between CSRD reports, Pillar 3 disclosures under CRR/CRD V, and internal risk frameworks; and
  • board-level understanding of both transition risks (arising from policy or technological changes towards a low-carbon economy) and physical risk exposures (stemming from climate-related events).

EU AML Package and AML Authority

The EU’s new Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) package (comprising AMLR, AMLD6, and the AMLA Regulation, which establishes the pan-European AMLA) will introduce a single rulebook and a centralised supervision model across the European Union. AMLA, headquartered in Frankfurt, will co-ordinate national authorities and directly supervise selected high-risk or systemically important cross-border institutions from 2026 onwards. National authorities will continue to supervise most domestic entities under harmonised standards with enhanced co-ordination.

Luxembourg will amend the Law of 12 November 2004 on AML/CFT to align with this new regime. The CSSF is expected to update its sectoral AML Handbook, risk-factor guidance, and reporting templates once relevant EU secondary legislation is finalised; transitional arrangements may apply during implementation.

Key innovations include:

  • harmonised customer due diligence standards across member states;
  • enhanced beneficial ownership transparency through stricter register requirements;
  • common sanctions lists facilitating uniform application of restrictive measures; and
  • new reporting channels for suspicious transaction data designed to streamline communication with Financial Intelligence Units (FIUs) and AMLA.

For Luxembourg banks, this package signals more intensive cross-border co-operation among supervisors and a greater reliance on data-driven monitoring techniques. Institutions will need to modernise screening tools, update group-wide policies and procedures, enhance data quality controls, and ensure their compliance frameworks are robust enough to meet heightened regulatory expectations across all jurisdictions in which they operate.

Securitisation Refit – Streamlining Private Transactions

The EU Securitisation Regulation (Regulation (EU) 2017/2402) is undergoing significant revision as part of the “Securitisation Refit” – a reform initiative aimed at simplifying the regulatory framework and revitalising European securitisation markets within the broader context of capital markets union. Luxembourg, as one of the EU’s key jurisdictions for securitisation activity, is expected to be significantly impacted by these changes.

Key amendments proposed for private securitisations include:

  • a simplified, principles-based due diligence process designed to reduce prescriptive requirements while ensuring robust risk assessment by institutional investors;
  • reduced transparency requirements for private securitisations, distinguishing them from public transactions but retaining core disclosures necessary for investor protection;
  • adjusted criteria for Simple, Transparent and Standardised (STS) securitisations – including synthetic on-balance-sheet deals – to facilitate their use as effective capital management tools; and
  • appointment of a lead supervisor for cross-border securitisations in order to streamline supervision and reduce regulatory fragmentation.

The reform aims to strike an appropriate balance between investor protection and market efficiency, acknowledging the operational burden imposed by previous disclosure templates. Its overarching objective is to enhance securitisation transactions within the European Union as an essential tool for deploying more funds into the real economy – particularly supporting SME financing – and improving secondary market liquidity.

Luxembourg-originated securitisations – especially private and synthetic structures – are expected to benefit from reduced administrative friction, faster execution timelines, and better alignment with capital-relief objectives. Nevertheless, strict compliance with STS standards and due diligence criteria remains critical in order to preserve investor confidence and ensure continued regulatory recognition.

The relevant legislative proposal was released in June 2025; amendments are expected to be implemented in 2026 subject to completion of the EU legislative process. Transitional measures may apply depending on final adoption timelines.

PSD3 and PSR – The New Payments Architecture

The European Commission’s proposals for a new Payment Services Directive (PSD3) and a directly applicable Payment Services Regulation (PSR) are set to modernise Europe’s payments framework by replacing PSD2 (Directive (EU) 2015/2366). This reform aims to strengthen consumer protection, enhance fraud prevention measures, improve open-banking security, and level the regulatory playing field between banks and fintechs.

The package introduces clearer rules on access-to-account interfaces (APIs), expands data-sharing obligations for authorised third-party providers while safeguarding customer privacy, and establishes consistent standards for instant payments as well as strong customer authentication (SCA). Once adopted, the PSR will have direct effect across all member states; PSD3 will require transposition into Luxembourg law – likely through amendments to the 2009 Law.

The CSSF – which supervises payment institutions and e-money institutions – is preparing to adapt its licensing regime and safeguarding requirements once final texts are approved. The CSSF is also assessing alignment between PSR requirements and DORA due to overlapping cyber risk management and incident-reporting obligations.

Implementation of PSD3/PSR will have several impacts on payment operations:

  • Banks and payment institutions will face tighter fraud-reporting obligations as well as stronger reimbursement rights for victims of payment fraud – including mandatory refund timelines in certain scenarios.
  • Open banking rules will be clarified; participants must enhance interface reliability, authentication processes, and compliance with new API standards.
  • Providers offering Buy Now, Pay Later (BNPL) or embedded-finance products must co-ordinate with Consumer Credit Directive II (Directive (EU) 2023/2225), which extends conduct-of-business rules – including pre-contractual information provision – to short-term digital credit products.

Adoption of the final texts of the PSD3/PSR package is expected in late 2025 or early 2026.

EBA SREP and Stress-Testing Framework Update

The EBA launched consultations in October 2025 on revised Guidelines for SREP as well as on supervisory stress-testing methodologies. These reforms reflect both the CRD VI package and DORA’s operational resilience concepts by integrating ESG, ICT, and governance risk factors more explicitly into prudential assessments. SREP remains a cornerstone of EU banking supervision; EBA Guidelines are binding on national authorities such as the CSSF through the “comply or explain” mechanism.

The updated SREP will:

  • standardise the treatment of ESG risk drivers across credit, market, and operational risk categories to ensure consistent integration into banks’ risk management frameworks;
  • incorporate digital operational resilience metrics to assess banks’ preparedness for severe ICT disruptions in line with DORA requirements; and
  • strengthen links between qualitative findings – such as governance or risk management weaknesses – and Pillar 2 capital guidance (P2G), with increased emphasis on board-level engagement with ESG and ICT risks.

For supervisory stress testing, the EBA will move toward a more forward-looking, scenario-based approach requiring granular data on climate transition risks, physical risks from environmental events, and cyber-incident losses. Scenario calibration must be robustly documented and subject to board-level oversight.

Luxembourg institutions should prepare for more detailed requests under ICAAP and ILAAP processes – including comprehensive documentation of model assumptions, scenario calibration methodologies, data sources used in stress testing, and evidence of board-level oversight over stress-test governance. While smaller banks will continue to benefit from proportionality in supervisory expectations, all entities must demonstrate clear traceability between their internal risk frameworks and reported ESG/ICT metrics.

The CSSF plans to apply this new framework in its 2026 supervisory cycle – complementing macroprudential assessments conducted by the BCL.

Regulatory Outlook 2026-2027

Luxembourg’s banking regulatory environment is entering one of its most dynamic periods in recent years, characterised by multiple amendments, new legislative packages – including CRD VI/CRR III, DORA, CSRD, the AML package with AMLA establishment, and the Securitisation Refit – and evolving supervisory expectations. Most of these reforms are EU-driven as part of a broader effort to strengthen the resilience, transparency, and competitiveness of Europe’s financial sector. Banks are now expected to adapt their operations to a framework that emphasises sustainability integration, digital-by-design supervision, and co-ordinated evidence-based governance.

Three themes will define the coming regulatory cycle:

  • Sustainability: ESG considerations are becoming embedded in prudential supervision, risk management frameworks (including ICAAP), disclosure obligations (CSRD/ESRS; Pillar 3), and board-level accountability. Supervisors expect robust climate scenario analysis, consistency between sustainability disclosures and internal risk frameworks, and clear board responsibility for managing ESG risks.
  • Digital-By-Design: Reporting and compliance processes are shifting toward structured, automated, technology-enabled formats – driven by initiatives such as DORA and PSR – requiring significant upgrades to information systems architecture, real-time data pipelines, cyber-resilience measures, and incident-reporting capabilities.
  • Integrated Risk Perspective: Prudential (capital/liquidity), ESG (climate/transition/physical), operational (ICT/cyber), and conduct risks are increasingly treated as interdependent elements within banks’ overall governance strategies. Supervisors assess how these risks interact through processes such as SREP – which now explicitly links qualitative findings across domains to capital guidance.

In practice, success will depend on institutions’ ability to align risk management, finance, and ESG compliance functions around shared data architectures and control frameworks. While the CSSF continues to apply a proportionate approach tailored to institution size or complexity, it expects demonstrable readiness for change initiatives, credible project governance, robust documentation, and consistent implementation across all business lines.

The years ahead will focus less on introducing new obligations than on proving that governance structures, systems integration efforts, and high-quality data can deliver regulatory outcomes efficiently and transparently within the EU’s modern supervisory model. Institutions achieving this integration early will be best placed to maintain regulatory confidence – and operational resilience – in an increasingly complex European landscape.

Luther S.A.

Aerogolf Center
1B, Heienhaff
Senningerberg
L-1736 Senningerberg
Luxembourg

+352 27484 1

+352 27484 690

luxembourg@luther-lawfirm.com www.luther-lawfirm.lu/home